First of all, we need to check whether the attack is coming from a specific IP.
You can check the number of connections from each IP using the following command:
netstat -plan|grep :80|awk '{print $5}'|cut -d: -f 1|sort|uniq -c|sort -n
You can then block the IP from which the attack originates.
Reload the firewall after adding the IP on the server (a good firewall
such as CSF or APF can be used for this purpose).
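The netstat one-liner above matches :80 anywhere on the line, so ports such as 8080 and outbound connections to a remote port 80 are counted too, and cut -d: -f 1 truncates IPv6 addresses. The following is an added example, not part of the original post, that counts only clients connected to a given local port and handles IPv6; the function names and the sample rows (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-client TCP connection counts for one local port,
# read from `netstat -tan` / `netstat -plan` style rows on stdin.

# count_http_peers [PORT] [MIN]  -> prints "COUNT PEER", busiest client first
count_http_peers() {
    port="${1:-80}"   # local port to inspect
    min="${2:-1}"     # only report peers with at least this many connections
    awk -v port="$port" -v min="$min" '
        $1 !~ /^tcp/    { next }   # skip header, udp and unix socket rows
        $6 == "LISTEN"  { next }   # the listening socket is not a client
        {
            # The port is whatever follows the LAST colon, so IPv6 rows work.
            lport = $4; sub(/^.*:/, "", lport)
            if (lport != port) next        # exact match: 8080 is not 80
            peer = $5; sub(/:[^:]*$/, "", peer)
            sub(/^::ffff:/, "", peer)      # IPv4-mapped IPv6 -> plain IPv4
            n[peer]++
        }
        END { for (p in n) if (n[p] >= min) print n[p], p }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (not captured from a real server).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51515      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51516      ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.5:40000       ESTABLISHED
tcp        0      0 192.0.2.10:41234        203.0.113.9:80          ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51517 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::bad:51000     TIME_WAIT
EOF
}

# Demo on the sample; on a live server use: netstat -tan | count_http_peers 80 20
sample_netstat | count_http_peers 80 1
```

Counting SYN_RECV and TIME_WAIT rows along with ESTABLISHED ones is deliberate here, since a flood often shows up as half-open connections.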
Tools for limiting HTTPD attacks
Install mod_security
DDoS attacks are generally targeted at HTTP, so it is always good to have a filtering system for Apache, so that each request is analyzed before the web server handles it.
The installation steps for mod_security in DSO (Dynamic Shared Object) mode are below:
# wget Download the mod_security module from the appropriate server
# Untar It
# cd mod_
# /usr/local/apache/bin/apxs -cia mod_security.c
Create a file named mod_security.conf under the folder /usr/local/apache/conf
# vi /usr/local/apache/conf/mod_security.conf
Create the rules with reference to http://www.modsecurity.org/documentation/quick-examples.html
and add them to the mod_security.conf file.
Add the location of mod_security.conf to httpd.conf
# vi /usr/local/apache/conf/httpd.conf
Add the line below:
Include /usr/local/apache/conf/mod_security.conf
# /usr/local/apache/bin/apachectl stop
# /usr/local/apache/bin/apachectl start
3. You can install mod_dosevasive on the server to protect against DDoS attacks
# wget Download the mod_evasive module from the appropriate server
# Untar It
# cd mod_evasive …
# $APACHE_ROOT/bin/apxs -iac mod_evasive.c
Change the variable "$APACHE_ROOT". It is the variable that stores the location of the Apache installation (e.g. $APACHE_ROOT=/usr/local/apache)
# vi /usr/local/apache/conf/httpd.conf
After this, add the code below to httpd.conf
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
# /usr/local/apache/bin/apachectl restart